Dashboards not using System Proxy

Hello there,
I am trying to connect to Open ID auth in Dashboards but it not connecting to IDp and connection is getting timeout. Found a solution for same in Kibana is there some setting like that also present here

Thanks for the help in advance

@manikya
What IDp are you using, also area you able to provide config.yaml and dashboards.yaml file? Redact any sensitive details if necessary

I am using my corporate IDp for the SSO which is behind proxy. I have setup the proxy in jvm.options for Opensearch and also in my ubuntu machine in system variable. When I send the IDp auth token to opensearch I am able to get response.

Dashboard config file-
opensearch.hosts: [“http://localhost:9200”]
opensearch.ssl.verificationMode: none
opensearch.username: “kibanaserver”
opensearch.password: “kibanaserver”
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [“Global”, “Private”]
opensearch_security.readonly_mode.roles: [“kibana_read_only”]

Use this setting if you are running kibana without https

server.host: “0.0.0.0”
server.basePath: “/dashboard”
server.rewriteBasePath: true

Enable OpenID authentication

#opensearch_security.auth.type: “openid”

The IdP metadata endpoint

opensearch_security.openid.connect_url: “IDP Well Known Endpoint”

The ID of the OpenID Connect client in your IdP

opensearch_security.openid.client_id: “<client -id>”

The client secret of the OpenID Connect client

opensearch_security.openid.client_secret: “client-secret”

opensearch_security.openid.scope: “openid email profile”
opensearch_security.openid.base_redirect_url: “<redirect - URI>”

@manikya
Can you provide the config.yml?
Also, is below line suppose to be commented out?
#opensearch_security.auth.type: “openid”

#opensearch_security.auth.type: “openid” ← Not supposed to be commented out.

Config.yml file which I am using

_meta:
type: “config”
config_version: 2

config:

dynamic:
# Set filtered_alias_mode to ‘disallow’ to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to ‘warn’ to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to ‘nowarn’ to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#do_not_fail_on_forbidden: false
#kibana:
# Kibana multitenancy
#multitenancy_enabled: true
#server_username: kibanaserver
#index: ‘.kibana’
http:
anonymous_auth_enabled: false
xff:
enabled: false
#internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
internalProxies: ‘.*’ # trust all internal proxies, regex pattern
#remoteIpHeader: ‘x-forwarded-for’
###### see Pattern (Java Platform SE 7 ) for regex help
###### more information about XFF X-Forwarded-For - Wikipedia
###### and here RFC 7239: Forwarded HTTP Extension
###### and Apache Tomcat 8 Configuration Reference (8.0.53) - The Valve Component
authc:
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
subject_key: display_name
roles_key: roles
openid_connect_url:
authentication_backend:
type: noop
basic_internal_auth_domain:
description: “Authenticate via HTTP Basic against internal users database”
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: internal

@manikya
The first link you posted (xpack.fleet.registry) seems to be for reaching the Elastic Package manager registry behind a proxy.

There is no additional configuration needed to to make Opensearch work.

Therefore I would focus on the config, did you remove the # from the below:
#opensearch_security.auth.type: “openid”

Can you also confirm openid_connect_url in config.yml is filled in.

Also, can you copy the same value from openid_connect_url to dashboards.yml under:

opensearch_security.openid.connect_url:

@Anthony
I have uncommented this line-> #opensearch_security.auth.type: “openid” from opensearch dashboard config
And it is same which is filled in config.yml → openid_connect_url

My opensearch is connecting to openID servers because I set -Dhttp.proxyHost and -Dhttp.proxyPort

Is there any same settings for Opensearch Dashboards

@manikya I think that setting is only for Elastic Agent setup. According to the docs at least.

I would recommend to remove those settings and focus on the rest of the config.

The problem as I understand it is that OpenSearch Dashboards for OP is installed in environment where you require an HTTP/HTTPS Proxy to connect to the outside world.

Last time I researched this OpenSearch Dashboards does not support setting a proxy, even if the underlying software does.

I went ahead and created an issue on this: Support httpsProxy in OpenSearch Dashboards for OIDC support · Issue #911 · opensearch-project/security-dashboards-plugin · GitHub

The workaround we used was to use netcat locally and setup a host alias to make all requests to our OIDC vendor go through our proxy. It’s kind of “dirty”, but works.